JGroupsENCRYPT

Encrypting entire messages (including headers)

A detailed description of ENCRYPT is found in the JGroups source (JGroups/doc/ENCRYPT.html).

By default, ENCRYPT encrypts only the message body, not the message headers.

To encrypt the entire message (including all headers, plus destination and source addresses), the property encrypt_entire_message has to be set to true. Also, ENCRYPT has to be below any protocols whose headers we want to encrypt, e.g.

Note that ENCRYPT sits below NAKACK and UNICAST, so the sequence numbers for these two protocols will be encrypted. Had ENCRYPT been placed below UNICAST but above NAKACK, then only UNICAST's headers (including sequence numbers) would have been encrypted, but not NAKACK's.

Note that it doesn't make much sense to place ENCRYPT even lower in the stack, because then almost all traffic (even merge or discovery traffic) will be encrypted, which may be somewhat of a performance drag.
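A small audit script for the placement rule above, added here as an example (not code from JGroups or from the original page): it parses a stack definition and reports which protocols' headers ENCRYPT covers. It assumes the usual JGroups XML layout, where protocols are listed bottom-up; the sample stack and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample stack (not from the page). JGroups XML lists protocols
# bottom-up: the transport comes first, the topmost protocol last.
SAMPLE_STACK = """
<config xmlns="urn:org:jgroups">
    <UDP/>
    <PING/>
    <ENCRYPT encrypt_entire_message="true"/>
    <pbcast.NAKACK/>
    <UNICAST/>
    <pbcast.GMS/>
</config>
"""


def local_name(tag):
    """Strip an XML namespace such as '{urn:org:jgroups}' from a tag."""
    return tag.rsplit("}", 1)[-1]


def header_coverage(stack_xml):
    """Return (encrypted, cleartext): protocols whose headers ENCRYPT does
    and does not cover. ENCRYPT itself appears in neither list."""
    stack = [(local_name(el.tag), el.attrib) for el in ET.fromstring(stack_xml)]
    names = [name for name, _ in stack]
    if "ENCRYPT" not in names:
        return [], names
    idx = names.index("ENCRYPT")
    flag = stack[idx][1].get("encrypt_entire_message", "false")
    below, above = names[:idx], names[idx + 1:]
    if flag.strip().lower() != "true":
        # Body-only mode: no protocol header is encrypted.
        return [], below + above
    # Headers are added on the way down, so only protocols above ENCRYPT
    # have already attached theirs when ENCRYPT marshals the message.
    return above, below


if __name__ == "__main__":
    encrypted, cleartext = header_coverage(SAMPLE_STACK)
    print("headers encrypted:", ", ".join(encrypted) or "none")
    print("headers in clear: ", ", ".join(cleartext) or "none")
```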

When we encrypt an entire message, we have to marshal the message into a byte[] buffer first and then encrypt it. This entails marshalling and copying of the byte[] buffer, which is not good for performance.

Configuration Parameters

| Name | Description |
|------|-------------|
| alias | Alias used for recovering the key. Change the default |
| asymAlgorithm | Cipher engine transformation for asymmetric algorithm. Default is RSA |
| asymInit | Initial public/private key length. Default is 512 |
| asymProvider | Cryptographic Service Provider. Default is Bouncy Castle Provider |
| encrypt_entire_message | |
| id | Give the protocol a different ID if needed so we can have multiple instances of it in the same stack |
| keyPassword | Password for recovering the key. Change the default |
| keyStoreName | File on classpath that contains keystore repository |
| level | Sets the logger level (see javadocs) |
| name | Give the protocol a different name if needed so we can have multiple instances of it in the same stack |